CVE-2026-32267

CRITICAL

Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()

Title source: cna

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.

Scores

CVSS v3 9.8
EPSS 0.0004
EPSS Percentile 11.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-863
Status published
Products (6)
craftcms/cms 4.0.0-RC1 - 4.17.6 (Packagist)
craftcms/cms >= 4.0.0-RC1, < 4.17.6
craftcms/cms >= 5.0.0-RC1, < 5.9.12
craftcms/craft_cms 4.0.0 (4 CPE variants)
craftcms/craft_cms 5.0.0 (2 CPE variants)
craftcms/craft_cms 4.0.0.1 - 4.17.6
Published Mar 16, 2026
Tracked Since Mar 17, 2026